1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.

2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION). 3. Update override PCD setting from 5 to 4 in platform DSC file. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14607 6f19259b-4bc3-4df7-8a09-765794883524
author: Fu Siyuan <siyuan.fu@intel.com> 2013-08-28 09:06:40 +0000
committer: sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> 2013-08-28 09:06:40 +0000
commit: db44ea6c4e093c1a53d752bb21b9eba8ad8fdaa9 (patch)
tree: a00daff473008535bad283c2a9f1b97b170b50c6 /SecurityPkg
parent: 98fed08f9f55e623b8f95518f69e35aca9ff1541 (diff)
2 files changed, 14 insertions, 3 deletions
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 9e4bf8681..2458ee2ae 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1086,6 +1086,14 @@ DxeImageVerificationHandler (
     return EFI_ACCESS_DENIED;
   }
 
+  //
+  // The policy QUERY_USER_ON_SECURITY_VIOLATION violates the UEFI spec and has been removed.
+  //
+  ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION);
+  if (Policy == QUERY_USER_ON_SECURITY_VIOLATION) {
+    CpuDeadLoop ();
+  }
+
   GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
   //
   // Skip verification if SecureBoot variable doesn't exist.
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4c3129a8a..610682717 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -87,7 +87,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005 
-  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00|UINT32|0x00000001
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.
+  gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
   
   ## Pcd for removable media.
   #  Removable media include CD-ROM, Floppy, USB and network.
@@ -98,7 +99,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005
-  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x05|UINT32|0x00000002
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.
+  gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002
   
   ## Pcd for fixed media.
   #  Fixed media include hard disk.
@@ -109,7 +111,8 @@
   #  DEFER_EXECUTE_ON_SECURITY_VIOLATION    0x00000003
   #  DENY_EXECUTE_ON_SECURITY_VIOLATION     0x00000004
   #  QUERY_USER_ON_SECURITY_VIOLATION       0x00000005  
-  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x05|UINT32|0x00000003
+  #  NOTE: Do NOT use QUERY_USER_ON_SECURITY_VIOLATION since it violates the UEFI specification and has been removed.
+  gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003
   
   ## Defer Image Load policy settings.
   #  The policy is bitwise.
author	Fu Siyuan <siyuan.fu@intel.com>	2013-08-28 09:06:40 +0000
committer	sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>	2013-08-28 09:06:40 +0000
commit	db44ea6c4e093c1a53d752bb21b9eba8ad8fdaa9 (patch)
tree	a00daff473008535bad283c2a9f1b97b170b50c6 /SecurityPkg
parent	98fed08f9f55e623b8f95518f69e35aca9ff1541 (diff)